In 1993, the internet was in its infancy, Mark Zuckerberg was nine years old, and Facebook was just a twinkle in his eye. That same year, the Privacy Act was passed in New Zealand.

It was the first national information privacy law outside Europe to apply to both the public and private sectors. It was considered a ground-breaking piece of legislation and it went a long way to advancing the privacy rights of individuals in New Zealand.

A lot has changed since then. Social media, ecommerce, cloud computing, and Big Data have all conspired to make personal data the new oil — a commodity that is bought and sold to the highest bidder. The updated Privacy Act 2020 includes stricter data protection rules and raises the standard of privacy when it comes to dealing with clients’, customers’ and employees’ personal information.

Privacy Breaches

The Privacy Act 2020 came into effect on 1 December 2020 and replaces the 1993 Act. The new law retains many of the original principles of the 1993 Act with some notable tweaks.

One of the most significant changes is that businesses must now report any privacy breach (i.e. where private personal information is lost, made public, or accessed by unauthorised parties) that could cause, or has caused, serious harm to the individuals involved.

The mandatory breach notification principle means businesses will have to notify the people whose information has been leaked and also report the breach to the Office of the Privacy Commissioner. Previously, it was up to individuals to make a complaint and prove they had been harmed as a result of a privacy breach.

Cost of Compliance

The Office of the Privacy Commissioner can issue compliance notices to organisations not meeting the standards laid out in the new Act, highlighting the steps they need to take to comply and a timeframe to meet their new obligations. If they fail to implement the necessary compliance steps, they can be fined up to $10,000.

New offences under the Act make it illegal to mislead an agency in order to access personal information, and it is a criminal offence for an organisation to destroy personal information after a request has been made to access it. The penalty is a fine of up to $10,000.

Individuals who have suffered serious harm as a result of a breach in privacy can also take a class action to the Human Rights Review Tribunal, which can award up to $350,000 to each member of a class action.

Information is Power

The new Act has been updated to ensure that businesses and organisations do not collect information from people that is not necessary. The protection for children and young people is designed to be ‘fairer’ with consideration given to whether it is appropriate or not to collect information in the first place.

The Privacy Commissioner will also be able to order businesses and organisations to give people access to the personal information held on them, and this order is enforceable in the Human Rights Review Tribunal.

Big Tech

The Act applies to both New Zealand and overseas organisations and includes a number of safeguards to control when and how data can be shared overseas.

Extraterritorial effect means that overseas businesses trading in New Zealand (e.g., Google, Facebook, etc.) are subject to the Act regardless of where the information is collected or held or where the person is located. This means that companies like Google and Facebook will have to abide by the Act, despite the fact they have no physical presence in New Zealand.  

Where information or data is sent overseas, the receiving agency overseas needs to be subject to laws similar to those in the New Zealand Act. Otherwise, the person must be fully informed and provide consent.


The updated Privacy Act is a step in the right direction for New Zealand. Protecting personal data is vital in the interconnected world we live in. Cybersecurity and privacy breaches cost New Zealand businesses millions of dollars every year.

The Act doesn’t just apply to big business. Any company that has any personal information must adhere to the new standards and regulations in the Act to protect that information securely. Now more than ever, business owners need to ensure their organisations have appropriate privacy and data protection processes in place.

The introduction of the new Act is a good time to assess your current privacy practices to ensure they are up-to-date and fit for purpose.

If you have any questions about the new legislation, please feel free to call us at Aspiring Law.

